Hackers targeted Syria opposition member, deployed Honey Trap

Posing themselves a female supporters, hackers targeted Syrian opposition members with online “honeytraps” to steal battle plans and the identity of the detectors.

FireEye, a US cyber-security firm describes in its report how the hacking operations in late 2013 and early 2014 targeted Syrian opposition fighters, media activists and humanitarian aid workers.

However, it is still in doubt whether the report has been passed on to Syrian Govt. or the identity of hackers is revealed. The hacked material included a detailed opposition military plan to recapture the town of Khirbet Ghazaleh, strategically located in southern Daraa province in 2013.

“The hackers stole a cache of critical documents and Skype conversations revealing the Syrian opposition’s strategy, tactical battle plan, supply need, and the troves of personal information and chat session,” the report said. The hackers provided “actionable military intelligence for an immediate battlefield advantage” in case of the planned Khirbet Ghazaleh attack.

It captured “the type of insight that can thwart a vital support route, reveal a planned ambush and identify and track key individuals.” Regardless of the high tech tools used in the attack, the hackers also relied on a well-worn tactic – the “honeytrap”.

So, here is how it actually worked. Hackers, posing as women supporters contacted the targets via chat and online phone service “Skype”. They enquired about the device targets were using – Smartphone or PC, apparently in a bid to tailor their attacks.

Then, the hackers would send photos of themselves to the targets which in real, is the malware package – penetrating their personal files and stealing information.

This method came out to be very useful because Syrian opposition members were often sharing computers, meaning one machine yielded information from multiple victims.

The stolen data mostly consisted of information created between May 2013 and December 2013, but some of the Skype chat logs went back to 2012 and others included information from as recently as January 2014.

Deploying not only “honeytrap”, hacker precisely used othertactics like creating fake social media account and Syrian opposition websites that encouraged visitors to click on the links that would infect their computers/other devices.

In May 2013, regime troops stormed Khirbet Ghazaleh which was rebel-high at that time and being used to block the highway between Damascus and Daraa. The report was unable to identify the identities and whereabouts of hackers. But it was found that servers used by hacker were based in Syria in spite of the fact that the methods used by them to exploit were totally different from that of Syrians.